The Dog's OAuth

By Adrian Gropper

A simple technology for linking EHRs will have a major impact on health care.

We’ve all heard the one about what the barking dog does when it finally catches the car.

The dogs of health IT seem to have caught their car when the Interim Final Rule for standards for meaningful use accepted certification of “EHR Modules” and left it up to the marketplace to decide how the modules would communicate with each other. I think ONC deserves much praise for a very fair and innovation-friendly approach.

OAuth is a relatively simple Web standard for delegated authorization: it lets a user authorize a limited link between one server and another without handing the second server the user’s password. Some describe it as a valet key to your car: you, the owner, give the valet a key that doesn’t open the trunk and won’t let the car go faster than 30 mph. When two EHR servers or two EHR modules are linked via OAuth they can be anywhere on the Web and can be operated by completely different enterprises. The authority to establish and limit the link can come from the patient directly or from a provider under the HIPAA laws. Note that OAuth says nothing about how the user proves identity to either server; it only governs what the linked server may do once the link exists.
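The kind of exchange the valet-key analogy describes, as an added example that is not part of the original post and not code from MedCommons or any EHR vendor. It simulates, in Python, OAuth 1.0a (RFC 5849) signed requests from a hypothetical client module (EHR module B) to a hypothetical resource server (EHR module A): HMAC-SHA1 signing of the request, signature verification, nonce and timestamp replay checks, and a scope check that stands in for the "doesn’t open the trunk" limit. The module names, URLs, secrets, scopes and record contents are all constructed for the example.

```python
"""Added example: a minimal OAuth 1.0a (RFC 5849) delegated-access exchange
between two hypothetical EHR modules. All names, secrets and data are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample data held by "EHR module A" (the resource server).
RECORDS = {
    "labs": {"patient": "123", "HbA1c": "6.1%"},
    "notes": {"patient": "123", "text": "progress note"},
}


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")


def base_string(method, base_url, params):
    """RFC 5849 section 3.4.1 signature base string. `params` must not contain oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)          # sort by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2), base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_request(method, base_url, query, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """EHR module B (the client) builds and signs one request. Returns (method, url, params)."""
    params = list(query.items()) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]
    params.append(("oauth_signature", sign(method, base_url, params, consumer_secret, token_secret)))
    return method, base_url, params


class ResourceServer:
    """EHR module A: verifies the signature, rejects replays and enforces the grant's scope."""

    def __init__(self, consumers, grants, now=time.time, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.grants = grants         # oauth_token -> {"secret": ..., "scope": set of resources}
        self.seen = set()            # (token, nonce) pairs already accepted
        self.now, self.window = now, window

    def handle(self, method, base_url, params):
        signed = [(k, v) for k, v in params if k != "oauth_signature"]  # keep duplicates intact
        p = dict(signed)
        sig = dict(params).get("oauth_signature")
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        grant = self.grants.get(p.get("oauth_token"))
        if sig is None or consumer_secret is None or grant is None:
            return 401, "missing signature, unknown client or unknown token"
        expected = sign(method, base_url, signed, consumer_secret, grant["secret"])
        if not hmac.compare_digest(expected, sig):       # verify before touching the nonce cache
            return 401, "bad signature"
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(self.now() - int(ts)) > self.window:
            return 401, "stale or missing timestamp"
        nonce_key = (p["oauth_token"], p.get("oauth_nonce"))
        if nonce_key in self.seen:
            return 401, "replayed nonce"
        self.seen.add(nonce_key)
        resource = base_url.rsplit("/", 1)[-1]
        if resource not in grant["scope"]:                # the valet key does not open the trunk
            return 403, "outside granted scope"
        return 200, RECORDS[resource]


def run_scenario():
    """The patient authorized module B to read labs only. Returns the status code of each attempt."""
    server = ResourceServer(consumers={"module-b": "cs3cr3t"},
                            grants={"tok1": {"secret": "ts3cr3t", "scope": {"labs"}}},
                            now=lambda: 1000)                 # fixed clock for a repeatable run
    creds = dict(consumer_key="module-b", consumer_secret="cs3cr3t",
                 token="tok1", token_secret="ts3cr3t", timestamp=1000)
    results = {}
    req = client_request("GET", "https://ehr-a.example/api/labs", {"patient": "123"}, nonce="n1", **creds)
    results["in_scope"] = server.handle(*req)[0]             # valid, within scope
    results["replay"] = server.handle(*req)[0]               # same nonce again
    req = client_request("GET", "https://ehr-a.example/api/notes", {"patient": "123"}, nonce="n2", **creds)
    results["out_of_scope"] = server.handle(*req)[0]         # valid signature, wrong resource
    req = client_request("GET", "https://ehr-a.example/api/labs", {"patient": "123"}, nonce="n3", **creds)
    tampered = [(k, "999" if k == "patient" else v) for k, v in req[2]]
    results["tampered"] = server.handle(req[0], req[1], tampered)[0]  # parameter changed in transit
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices worth noting: the server recomputes the signature before it records the nonce, so an unauthenticated caller cannot fill the replay cache, and the scope set attached to the token is the only place the "valet key" limit lives, so revoking or narrowing the grant never requires the client to change. Real deployments also need TLS on the link and a token-issuance step (the request/authorize/access-token dance of RFC 5849) that this example starts after.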

The impact on health care comes from the power of OAuth to catalyze modular EHRs by providing the same open, royalty-free interface inside and outside an institution. Current institution-centered EHRs, favored by the cats, don’t need OAuth interfaces or CCRs (Continuity of Care Records) to achieve meaningful use certification, because one vendor controls one database for one institution.

Under the IFR rules, a new generation of EHR now becomes possible, in which multiple vendors can benefit from free and efficient interfaces even within a single institution. Radiology already works this way: the DICOM standard allows CT scanners from vendor A and MR scanners from vendor B to work seamlessly with workstations from a third vendor that knows nothing about either modality, and with long-term off-site storage at a service that works with all CT, MR and workstation vendors. Vendors seldom charge for DICOM interfaces, and many have adopted or adapted open-source DICOM stacks as a way to reduce costs and improve quality.

Compared to DICOM, OAuth will be revolutionary. DICOM is some 25 years old and was never intended to cross firewalls or to support the HITECH Act’s strict “accounting for disclosures” privacy mandate. OAuth was designed for HTTP links across organizational boundaries, and each link is an explicit, scoped and revocable grant, which is exactly the kind of record an accounting of disclosures needs. That enables cloud-based and patient-centered EHR architectures that will drive decision support for clinicians, informed consent for patients and rapid innovation for institutions as health record portability becomes the norm.

Elizabeth Cohen’s wonderful article on CNN [ ] and Dave deBronkart’s rallying cry just might ignite a revolution catalyzed by the simplicity and transparency of OAuth, and redefine the physician-patient contract in 21st-century terms.

Adrian Gropper, MD is a founder of MedCommons, with roots in patient-controlled and patient-centered health records that go back to MIT’s Guardian Angel project. AMICAS, a more recent radiology-focused venture, pioneered the clinical use of Web browsers and protocols. Adrian is driven by the vision of doctors and patients collaborating around shared health records on the Web.


8 Responses for “The Dog’s OAuth”

  1. Alan Viars says:

    We have embraced and implemented oAuth in the Videntity platform as one of many options for authentication. I find it simpler than OpenID, although we plan to implement OpenID too.
    If I have a weak password on one site, say Twitter, and I use oAuth to access another health site, then access to the health care site in essence also has a weak password.
    Do you think there is room for biometrics in health care? Many people think so and many other people are scared of the idea. Biometrics, implemented properly could do a lot to solve the master patient index (MPI) federation problem.
    Still the larger problem is the closed nature of many health informatics standards such as HL7. We need true open standards if we want things to really work.
    An equally large problem is the fact that many doctors simply do not want to provide patients access to their records. Exposure to litigation is one of many reasons this is so.
    Alan Viars, CEO

  2. Alan,
    Are we talking about the same thing? OATH [ ] is about authentication of a user, biometrics and such.
    OAuth [ ] is about authorization and is independent of whether the user signs in with password or biometrics or OpenID. As wikipedia puts it: “OAuth is a complementary but distinct service to OpenId.”
    That said, I agree with you that web standards tend to be more open than HL7 and other industry-specific standards and should be preferred whenever possible.

  3. Alan Viars says:

    We are talking about the same thing. oAuth = Similar to OpenID but with a narrower focus. Twitter is a pure oAuth implementation but Facebook Connect is slightly different. We setup both in recent weeks.
    Alan Viars

  4. propensity says:

    Unless it is quick, user friendly, with historical images available for evaluation by the immediate health care team, it will fall into the category of we can make it but it is not meaningfully useful to the users, thus, so what.

  5. Mark says:

    Medical records, and the transfer of information, need to be live and not take these doctors 1 or 2 days to get. This also includes getting health insurance quotes or health insurance plans.
    For example, we live in Utah, and if you want to get a Utah health plan, there is a local company that just asks for your age and zip code and then bingo, you have over 50 plans to choose from and can apply online. Saving money and time for everyone.
    Now why don’t they do this with health care records and the transfer of info? They need to find companies that see ahead to the future of health care and invest in these types of firms.

  6. Your way of telling all in this article is actually fastidious, everyone will be able to understand it without difficulty. Thanks a lot.

  7. jabbett says:

    Three years later, have you seen any adoption of oAuth?

    Nevermind EHR interoperability, there’s a whole universe of web and mobile health apps that are craving Twitter- or Google-like connectivity with hospital systems.

  8. David says:

    Hello Jabbett, I was wondering that too. It appears that adoption has been slow, but there are some positive signs. The HL7 standards are working with OAuth. Indivo uses OAuth (Indivo was used in a recent MIT hackathon). The SMART Platform uses OAuth (the SMART Platform is funded by the feds; the ONC). I couldn’t find any examples of actual doctors or hospitals using OAuth.
